ADPulse: Open‑Source Read‑Only AD Security Scanner with 35 Checks
ADPulse is an open‑source, read‑only Active Directory security scanner that runs 35 built‑in checks, provides a 100‑point risk score, supports Pass‑the‑Hash authentication, and generates console, JSON, or self‑contained HTML reports with a single command, making it suitable for quick AD health assessments and penetration‑test reconnaissance.
Features
Pure read‑only – does not modify AD objects, group memberships, GPOs or ACLs.
35 security checks – covers password policy, ACL analysis and other attack surfaces.
Risk scoring – 100‑point scale with deductions based on severity.
Three report formats – colored console output, machine‑readable JSON, self‑contained HTML.
Low privilege requirement – most checks run with a standard domain user having read‑only rights.
Pass‑the‑Hash support – authentication with NTLM hash only.
Quick start
Requirements: Python 3.8+, network reachability to domain controllers (ports 636/389/445), and a domain user account with read‑only rights. Access to the SYSVOL share is required for the GPP/cpassword check.
Installation
# Clone repository
git clone https://github.com/dievus/ADPulse.git
cd ADPulse
# Create virtual environment (recommended)
python -m venv venv
# Activate virtual environment
# Linux / macOS:
source venv/bin/activate
# Windows:
venv\Scripts\activate
# Install dependencies
pip install -r requirements.txt
Basic usage
# Minimal scan with clear‑text password
python ADPulse.py --domain corp.local --user jsmith --password 'P@ssw0rd!'
# Pass‑the‑Hash (no clear‑text password)
python ADPulse.py --domain corp.local --user jsmith --hash 31d6cfe0d16ae931b73c59d7e0c089c0
# Specify domain controller IP
python ADPulse.py --domain corp.local --user jsmith --password 'P@ssw0rd!' --dc-ip 10.0.0.1
# Generate only HTML report
python ADPulse.py --domain corp.local --user jsmith --password 'P@ssw0rd!' --report html
# Set output directory
python ADPulse.py --domain corp.local --user jsmith --password 'P@ssw0rd!' --output-dir /tmp/scans
Parameter reference
--domain – required: yes; default: —; description: target AD domain (e.g. corp.local).
--user – required: yes; default: —; description: domain username.
--password – mutually exclusive with --hash; default: —; description: clear‑text password.
--hash – mutually exclusive with --password; default: —; description: NTLM hash in LM:NT format.
--dc-ip – required: no; default: DNS auto‑resolve; description: explicit domain controller IP address.
--report – required: no; default: all; description: report format (console, json, html, or all).
--output-dir – required: no; default: current directory; description: parent directory for report files.
--no-color – required: no; default: false; description: disable console colour.
Case studies
Case 1 – Rapid AD health check for a new environment
Scenario: a newly hired security engineer needs a quick overview of the AD security posture.
python ADPulse.py --domain company.local --user secadmin --password 'MyP@ss!' --report all
Severe issues (3): GPP encrypted passwords in SYSVOL, 3 users with unconstrained delegation, 5 expired accounts in Domain Admins.
High‑risk issues (6): minimum password length of 6, 12 Kerberoastable accounts, domain functional level still at 2008 R2, etc.
Case 2 – Information gathering during a penetration test
Scenario: a red‑team needs fast enumeration of a target domain.
python ADPulse.py --domain target.local --user pentest --hash 31d6cfe0d16ae931b73c59d7e0c089c0 --report json
8 Kerberoastable accounts discovered, 3 of which have adminCount=1 (high‑value targets).
ESC1 vulnerability detected: a certificate template allows client‑provided SubjectAltName with overly permissive enrollment rights.
2 user accounts have “password never expires” and passwords older than 180 days.
No SID history injection found – cross‑domain privilege escalation path excluded.
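The account findings above come down to a few directory attributes that a defender can review directly for remediation triage. The following is an added example, not code from ADPulse: the function names, the sample accounts and the fixed review date are assumptions, and the records are constructed.

```python
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x0002       # userAccountControl bit: account disabled
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: password never expires
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """pwdLastSet counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def review_account(acct, now, max_age_days=180):
    """Return hygiene findings for one user record (hypothetical helper)."""
    uac = acct["userAccountControl"]
    if uac & UF_ACCOUNTDISABLE:
        return []  # disabled accounts are out of scope for this review
    findings = []
    pwd_last_set = acct.get("pwdLastSet", 0)
    if pwd_last_set and uac & UF_DONT_EXPIRE_PASSWD:  # 0 = must change at next logon
        age = (now - filetime_to_dt(pwd_last_set)).days
        if age > max_age_days:
            findings.append(f"non-expiring password, {age} days old")
    if acct.get("servicePrincipalName"):
        tier = "privileged (adminCount=1)" if acct.get("adminCount") == 1 else "standard"
        findings.append(f"user account with SPN, {tier}")
    return findings

# Constructed sample data: fixed review date and three made-up accounts.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200, "adminCount": 1,
     "pwdLastSet": dt_to_filetime(NOW - timedelta(days=400)),
     "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"]},
    {"sAMAccountName": "jsmith", "userAccountControl": 0x200,
     "pwdLastSet": dt_to_filetime(NOW - timedelta(days=30))},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x10202,
     "pwdLastSet": dt_to_filetime(NOW - timedelta(days=900)),
     "servicePrincipalName": ["HTTP/legacy.corp.local"]},
]

def review_all(accounts, now=NOW):
    return {a["sAMAccountName"]: review_account(a, now) for a in accounts}
```

Accounts that show both findings are the ones to move to managed service accounts or long random passwords first.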
Case 3 – AD Certificate Services (ADCS) specific audit
Scenario: an organization needs to assess internal CA security after learning about ESC‑series vulnerabilities.
python ADPulse.py --domain bank.local --user auditor --password 'AuditP@ss!' --report html --output-dir ./adcs-audit
ESC1: two certificate templates allow enrollees to supply their own SubjectAltName and are enrollable by low‑privilege users.
ESC6: CA server has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag enabled.
ESC8: CA web enrollment endpoint (/certsrv) uses HTTP, exposing NTLM relay risk.
ESC13: administrator‑added OID group link could be abused for privilege escalation.
Weak keys: 5 of 14 certificate templates use 1024‑bit RSA keys.
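The ESC1 and weak-key findings above depend on a small set of certificate template attributes. The following is an added example, not code from ADPulse, showing how a defender can evaluate them. The `enroll_principals` field (a pre-resolved view of the template ACL), the low-privilege group list and the template records are assumptions constructed for illustration.

```python
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Assumption: groups treated as low-privilege for this review.
LOW_PRIV = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}

def audit_template(t):
    """Return a list of (finding_id, detail) tuples for one template record."""
    findings = []
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    auth_capable = not ekus or bool(ekus & AUTH_EKUS)  # no EKU means any purpose
    san_from_requester = bool(
        t.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    manager_approval = bool(
        t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS)
    signatures_required = t.get("msPKI-RA-Signature", 0) > 0
    # "enroll_principals" is a hypothetical, pre-resolved view of the template ACL.
    exposed_to = sorted(LOW_PRIV & set(t.get("enroll_principals", [])))
    if (san_from_requester and auth_capable and exposed_to
            and not manager_approval and not signatures_required):
        findings.append(("ESC1", "enrollable by " + ", ".join(exposed_to)))
    key_bits = t.get("msPKI-Minimal-Key-Size", 0)
    if key_bits < 2048:
        findings.append(("WEAK_KEY", f"minimum key size {key_bits} bits"))
    return findings

# Constructed sample records (not output from ADPulse or any real CA).
TEMPLATES = [
    {"cn": "WebVPN-User", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Minimal-Key-Size": 2048, "enroll_principals": ["Domain Users"]},
    {"cn": "WebVPN-Approved", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Minimal-Key-Size": 1024, "enroll_principals": ["Domain Users"]},
    {"cn": "CodeSign-Admins", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.3"],
     "msPKI-Minimal-Key-Size": 4096, "enroll_principals": ["PKI Admins"]},
]

def audit_all(templates):
    return {t["cn"]: audit_template(t) for t in templates}
```

The second template shows why manager approval matters: the same name flag and EKU no longer produce an ESC1 finding once requests are held for approval, although its 1024-bit minimum key size is still reported.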
Conclusion
ADPulse provides a practical, read‑only AD security audit capability with 35 checks and flexible reporting. It requires only a standard domain user account and introduces no write‑side risk, though using highly privileged domain‑controller accounts is discouraged.
Project URL: https://github.com/dievus/ADPulse
Black & White Path
